v0.0.3

@Kludex Kludex released this 07 Jun 13:43
· 83 commits to main since this release
0f390aa

zttp is a sans-IO HTTP/1.1 parser for Python with a Zig core.

Warning

zttp is experimental. The API and behaviour may change at any time, and it is not yet ready for production use.

Security

  • Two adversarial security audits (a code-level review and a CVE-driven review against real HTTP-parser CVEs across Node, Go, Python, Rust, and C servers). zttp resists the known historical parser-CVE classes.
  • Hardening from the audits: parse errors are now terminal (a desynced connection can't be revived via start_next_cycle), the serializer refuses ambiguous framing (Transfer-Encoding + Content-Length, duplicate/non-digit Content-Length), the version parser is restricted to HTTP/1.x, the status reason-phrase rejects control bytes, and an oversized receive_data raises RemoteProtocolError.
  • Added THREAT_MODEL.md.
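
The ambiguous-framing cases listed in the hardening note above, as an added stand-alone example; this is not zttp's code or API, and `FramingError`, `check_framing` and `outcome` are hypothetical names. The header sets are constructed.

```python
# Added example: a stand-alone framing check, not zttp's implementation.
# FramingError, check_framing and outcome are hypothetical names.


class FramingError(ValueError):
    """The header set does not define exactly one body length."""


def check_framing(headers):
    """Validate framing headers given as (name, value) byte pairs.

    Returns ("length", n), ("transfer-encoding", None) or ("none", None).
    """
    lengths = [v.strip(b" \t") for n, v in headers if n.lower() == b"content-length"]
    encoded = any(n.lower() == b"transfer-encoding" for n, _ in headers)

    if lengths and encoded:
        # Two framing mechanisms: each hop may honour a different one.
        raise FramingError("Transfer-Encoding with Content-Length")
    if len(lengths) > 1:
        raise FramingError("duplicate Content-Length")
    if lengths:
        # bytes.isdigit() is ASCII-only and false for b""; int() alone
        # would also accept b"+5" and b"5_0".
        if not lengths[0].isdigit():
            raise FramingError("non-digit Content-Length")
        return ("length", int(lengths[0]))
    return ("transfer-encoding", None) if encoded else ("none", None)


def outcome(headers):
    """Return the framing decision, or the rejection reason as a string."""
    try:
        return check_framing(headers)
    except FramingError as exc:
        return str(exc)


# Constructed header sets, one per case named in the release note.
SAMPLES = {
    "plain": [(b"Content-Length", b"5")],
    "te+cl": [(b"Transfer-Encoding", b"chunked"), (b"content-length", b"5")],
    "dup": [(b"Content-Length", b"5"), (b"Content-Length", b"6")],
    "sign": [(b"Content-Length", b"+5")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", outcome(hdrs))
```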

Packaging

  • Wheels for Windows (amd64) and musllinux in addition to manylinux and macOS - full parity with httptools' platform reach.
  • Build migrated to the shared hatch-ziglang hook.

Documentation

  • Documentation site deployed to Cloudflare, with an mkdocstrings-generated API reference, object cross-references, and a mermaid architecture diagram.

Install

pip install zttp

Full changelog: v0.0.2...v0.0.3